WAF Weekly: FortiBleed Hits 75K Devices, F5 Patches Critical NGINX Flaws, June 13-19, 2026
FortiBleed exposes 75K Fortinet firewall credentials. F5 patches critical NGINX RCE flaws. Popa botnet traced to NASDAQ-listed proxy firm. Plus Cloudflare AI agent tools for SASE.
FortiBleed: 75,000 Fortinet Firewalls Compromised in Credential Harvesting Campaign
The biggest story this week: a campaign dubbed "FortiBleed" has exposed working administrator credentials for roughly 75,000 Fortinet FortiGate firewalls across 194 countries and over 21,000 domains. That is roughly half of all internet-facing Fortinet devices found on Shodan.
Researchers at SOCRadar and Hudson Rock, along with Kevin Beaumont, confirmed the credentials are real and current. The attackers used no zero-day. Instead, they systematically scanned for Fortinet devices, brute-forced passwords using a 45-GPU cracking cluster, and harvested configuration files containing admin and SSL VPN credentials. At least four organizations were fully compromised, including a Turkish NATO defense contractor from which classified documents were stolen.
WAFplanet take: This is a textbook case of why patching alone is not enough. Credential rotation after every firmware update, enforcing MFA on management interfaces, and removing admin portals from the public internet are baseline requirements for any firewall deployment. If your WAF or firewall admin panel is reachable from the internet with password-only auth, you are in the blast radius.
Source: CSO Online | The Next Web
F5 Patches Critical NGINX Vulnerabilities (CVSS 9.2)
F5 released out-of-band security updates for multiple NGINX vulnerabilities, including two critical flaws rated CVSS 9.2. CVE-2026-42530 is a use-after-free in the HTTP/3 QUIC module, and CVE-2026-42055 is a heap-based buffer overflow in the HTTP/2 proxy and gRPC modules. Both can crash the NGINX worker process and allow remote code execution when ASLR is disabled or bypassed.
The affected products span NGINX App Protect WAF, NGINX Plus, NGINX Open Source, NGINX Gateway Fabric, and NGINX Ingress Controller. F5 also patched two high-severity flaws in NGINX Gateway Fabric that allow authenticated config injection, plus two medium-severity issues.
WAFplanet take: NGINX powers a massive share of the internet's reverse proxy and WAF infrastructure. Critical RCE vulnerabilities in its HTTP/2 and HTTP/3 modules are exactly the kind of bugs that get weaponized fast. If you run NGINX in any WAF or gateway role, patch immediately. HTTP/3 can be disabled as a workaround for CVE-2026-42530.
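The HTTP/3 workaround mentioned above, as an added example that is not from the original post or from F5: the first server block is a typical HTTP/3-enabled configuration, the second is the same block with QUIC/HTTP/3 removed so the server only accepts HTTP/1.1 and HTTP/2 over TCP. Hostnames, certificate paths and the backend address are placeholders.

```nginx
# Placeholder backend so the proxy_pass targets resolve.
upstream app_backend {
    server 127.0.0.1:8080;
}

# Before: HTTP/3 enabled. Requests reach the QUIC module, which is where
# CVE-2026-42530 lives.
server {
    listen 443 ssl;
    listen 443 quic reuseport;          # UDP/443 QUIC listener
    http2 on;
    http3 on;                           # HTTP/3 handling in the QUIC module
    server_name example.com;            # placeholder
    ssl_certificate     /etc/nginx/certs/example.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/example.key;   # placeholder
    add_header Alt-Svc 'h3=":443"; ma=86400';  # tells clients to upgrade to h3
    location / {
        proxy_pass http://app_backend;
    }
}

# After: HTTP/3 disabled as the interim workaround. No QUIC listener, no
# http3 directive, and no Alt-Svc header, so clients are never invited to
# switch to h3. HTTP/1.1 and HTTP/2 over TCP keep working unchanged.
server {
    listen 443 ssl;
    http2 on;
    server_name example.com;            # placeholder
    ssl_certificate     /etc/nginx/certs/example.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/example.key;   # placeholder
    location / {
        proxy_pass http://app_backend;
    }
}
```

After reloading, `nginx -T | grep -Ei 'quic|http3|alt-svc'` should return nothing, and UDP/443 can be closed at the host firewall since nothing listens there. This only sidesteps the QUIC flaw; the HTTP/2 proxy and gRPC bug (CVE-2026-42055) still needs the patch.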
Source: SecurityWeek | The Hacker News
Popa Botnet Traced to Publicly Traded Israeli Proxy Firm
Krebs on Security reported that the Popa botnet, which has spent four years turning millions of Android TV boxes into residential proxy nodes, is linked to NetNut, a proxy provider operated by NASDAQ-listed Alarum Technologies (ALAR). The botnet is a component of the larger Vo1d malware campaign targeting cheap Android streaming devices.
Popa does not run DDoS attacks. Instead, it turns compromised devices into persistent communication tunnels for advertising fraud, account takeovers, and large-scale data scraping. Qurium found 1.4 million IP addresses involved in scraping operations routed through the botnet. After Google and HUMAN Security disrupted the related Badbox 2.0 botnet in July 2025, new control domains were registered, one of which (ninjatech.io) is linked to a NetNut VP of R&D.
WAFplanet take: Residential proxy botnets are a growing challenge for WAFs and bot management tools. When attack traffic comes from millions of real home IP addresses, traditional IP reputation and rate limiting break down. This is why behavioral analysis and device fingerprinting matter more than ever in bot detection.
Cloudflare Launches Design Partner Designation for SASE and AI Security
Cloudflare announced its Cloudflare One Design Partner Designation, a channel program focused on its SASE suite. The first partners include Arctiq, Consortium, CMT, Presidio, and The Missing Link. The program includes a new "Cloudflare One Stack" that provides AI agent skills for evaluating, deploying, and managing Cloudflare One, with blueprint configurations and automated workflows.
WAFplanet take: The interesting angle here is not the channel program itself but the AI agent integration. Cloudflare is building structured knowledge and tool definitions that AI agents can use to manage security infrastructure. If this works as described, it lowers the expertise barrier for deploying SASE and could change how security teams configure WAF policies at scale.
Also Notable
- CrowdStrike and AWS are collaborating to address AI security blind spots in cloud environments, focusing on visibility gaps in AI workloads and model deployments.
- The FBI warned about fraud websites using fake login pages designed to bypass firewall protections, targeting American consumers with credential theft campaigns.
The Bigger Picture
This week's headlines paint a consistent theme: the perimeter is not holding. FortiBleed showed that 75,000 firewalls can be compromised without any novel exploit, just industrial-scale password cracking. The NGINX vulnerabilities remind us that the software running our WAFs and reverse proxies needs the same urgent patching we demand for application code. And the Popa botnet investigation reveals how the commercial proxy industry and botnet operators are increasingly hard to tell apart.
The common thread? Security infrastructure is only as strong as the operational discipline behind it. Rotate credentials, patch aggressively, and stop trusting IP-based security models.